Image is still built even if GPG signature verification fails #3565
Comments
@arjunak234 I cannot find an option in
Can't debootstrap be used to generate the image? This is a security risk. From the log output above, the files are being fetched over HTTP (without TLS). Someone who can compromise HTTP traffic or a Debian mirror will now have root access to all your newly built containers. Also the "
No and yes, maybe. Using debootstrap is incompatible with mkosi's architecture of using the package manager alone acting from outside the image. mkosi used debootstrap before and moved away from it many years ago. You may be able to use Also, looking at what
Then use a mirror with HTTPS or make a local mirror, but we can only support what apt supports, so please open a bug against apt to add an option to fail loudly when it cannot verify signatures.
The message is unrelated to this, we can change that to make it clear that it's about something different.
Can mmdebstrap be used then?
From what I can understand, by default it will try to use the keyring and HTTP. If the keyring is missing it will fall back to HTTPS. This option disables that fallback.
Why? Its man page lists that --force-check-gpg is not supported. That's because what mmdebstrap does is more or less identical to what we do in mkosi.
Please work with the apt developers to have an option added to apt that disables the fallback and we will gladly enable it in mkosi.
mkosi commit the issue has been seen with
25.3
Used host distribution
Debian Testing
Used target distribution
Debian stable
Linux kernel version used
NA
CPU architectures issue was seen on
x86_64
Unexpected behaviour you saw
This can be reproduced by replacing the Debian keyring file with some other key.
cp /usr/share/keyrings/archlinux.gpg /usr/share/keyrings/debian-archive-keyring.gpg
The build process shows some verification errors but does not stop the image from being built. If debootstrap is used instead, it will exit with an error as expected.
Used mkosi config
mkosi output
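Until apt gains an option that fails loudly when it cannot verify repository signatures, the check a practitioner can apply today is a gate on the build log: capture the output of the image build and refuse to accept the image if apt reported any signature-verification failure. The script below is an added example, not mkosi's or apt's own code. The marker strings (GPG error, NO_PUBKEY, BADSIG, KEYEXPIRED, "is not signed") are assumed to match apt's usual wording for key and signature problems, and the two sample logs are constructed for the demonstration rather than taken from this issue.

```shell
#!/bin/sh
# Added example: gate an image build on the absence of apt signature-verification
# failures in its log. Not part of mkosi; the marker strings are assumptions
# about apt's message wording and should be compared against real output.

# Reads a build log on stdin.
# Returns 0 when no signature-verification failure is present, 1 otherwise.
check_build_log() {
    # Each alternative is one way apt/gpgv reports an unverifiable Release file.
    if grep -E -q 'GPG error|NO_PUBKEY|BADSIG|KEYEXPIRED|is not signed'; then
        return 1
    fi
    return 0
}

# Runs the build command given as arguments, tees its output to a log file,
# and rejects the result when the gate trips. Example:
#   build_and_gate mkosi -f build
build_and_gate() {
    logfile=$(mktemp) || return 1
    "$@" 2>&1 | tee "$logfile"
    if ! check_build_log < "$logfile"; then
        echo "refusing image: apt could not verify repository signatures (see $logfile)" >&2
        return 1
    fi
    rm -f "$logfile"
    return 0
}

# Constructed sample logs, modelled on apt's message format (not real output).
BAD_LOG='W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures could not be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
E: The repository http://deb.debian.org/debian bookworm InRelease is not signed.'
GOOD_LOG='Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Reading package lists...'

# Stand-alone demonstration: the bad log trips the gate, the good one passes.
demo() {
    if printf '%s\n' "$BAD_LOG" | check_build_log; then
        echo "unexpected: bad log passed the gate" >&2
        return 1
    fi
    if ! printf '%s\n' "$GOOD_LOG" | check_build_log; then
        echo "unexpected: clean log was rejected" >&2
        return 1
    fi
    echo "gate behaves as expected"
    return 0
}
```

The gate deliberately does not rely on the build command's exit status, because the whole point of the issue is that the build succeeds despite the verification errors; it also keeps the log file when it rejects an image so the failure can be examined.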